Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

keycloak_user_federation: add module argument that allows excluding bindCredential from update check #8898

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

keycloak_user_federation: add module argument that allows excluding bindCredential from update check #8898

wants to merge 2 commits into from
+23 −3

Conversation

fgruenbauer
Copy link
Contributor

@fgruenbauer fgruenbauer commented Sep 22, 2024
edited
Loading

SUMMARY

Keycloak redacts the value of the parameter bindCredential (ldap admin password) in its responses, which makes diff and change detection difficult. The desired and the before/existing value can never really be equal unless bindCredential is set to ********** or both are not set at all. This leads to the module always making an update if a value is set for bindCredential. The module might still return changed = false, because after an update the module compares before and after state. In check mode changed is always true but the diff empty, because the parameter is overwritten in the sanitize function.

The added module argument would allow users to exclude the bindCredential parameter when comparing before and desired state. This would prevent unnecessary updates and check mode always having changed = true.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

keycloak_user_federation

ADDITIONAL INFORMATION
  1. create ldap user federation and set bindCredential value
  2. run module in check mode

@ansibullbot
Copy link
Collaborator

cc @eikef @laurpaum @mattock @ndclt @thomasbach-dev
click here for bot help

@ansibullbot ansibullbot added WIP Work in progress bug This issue/PR relates to a bug module module plugins plugin (any type) labels Sep 22, 2024
russoz
russoz reviewed Sep 23, 2024
View reviewed changes
Copy link
Collaborator

@russoz russoz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @fgruenbauer

Thank you for the contribution! Please add a changelog fragment.

Other than that, it does LGTM.

@fgruenbauer fgruenbauer marked this pull request as ready for review September 23, 2024 11:07
russoz
russoz approved these changes Sep 23, 2024
View reviewed changes
Copy link
Collaborator

@russoz russoz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, LGTM

@ansibullbot ansibullbot removed the WIP Work in progress label Sep 23, 2024
@felixfontein felixfontein added check-before-release PR will be looked at again shortly before release and merged if possible. backport-9 Automatically create a backport for the stable-9 branch labels Sep 23, 2024
felixfontein
felixfontein reviewed Sep 23, 2024
View reviewed changes
Copy link
Collaborator

@felixfontein felixfontein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution!

plugins/modules/keycloak_user_federation.py
- Set to V(true) to exclude O(config.bindCredential) when comparing the before state with the desired state to
determine wether an update is required.
type: bool
default: false
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, how about using a string state with two states (choices) instead of a boolean? Then it is possible to later add more options, if for example the API is changed to allow other ways to handle this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@felixfontein felixfontein felixfontein left review comments

@russoz russoz russoz approved these changes

Assignees
No one assigned
Labels
backport-9 Automatically create a backport for the stable-9 branch bug This issue/PR relates to a bug check-before-release PR will be looked at again shortly before release and merged if possible. module module plugins plugin (any type)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fgruenbauer @ansibullbot @russoz @felixfontein